Apple's Better Late Than Never With OS X Security Fix

Apple has earned praise for finding and fixing a major security flaw -- but it's taking some flak for failing to synchronize the release of its iOS and OS X updates. There was a four-day window of opportunity for anyone who might have wanted to exploit the flaw in OS X after learning about it through the iOS patch. There's no indication at this point that any attacks took place, however.

Apple on Tuesday pushed a large update to its OS X Mavericks operating system that includes a patch for a significant security flaw in the software.

The vulnerability allows Net predators to hijack a secure communication channel from a device running the latest version of Apple's desktop OS and perform mischief such as intercepting user names and passwords.

The flaw affects programs made by Apple, like Safari, that use SSL to establish an encrypted channel to the Internet. Third-party apps such as Firefox and the Google Chrome browser don't contain the vulnerability.

Although the flaw is significant, its impact probably will be limited.

"It's unlikely to have been exploited by common cybercriminals, or we would have known about the issue earlier," Kevin Haley, director of Symantec security response, told TechNewsWorld.

"It's possible that high-end attackers who run small, focused targeted attacks have used it," he added. "We just don't know at this point."

Underestimated Security Community

Apple patched the flaw in its mobile operating system iOS last week, but it took four days for the company to address the problem in OS X.

Apparently the errant code had been in iOS as far back as version 6 of the software, which is now on version 7. What's more, the bug is in an open source portion of the code, yet it appears Apple was the first to publicize the error.

Once Apple released the iOS patch, security analysts began reverse-engineering it to identify the problem it was addressing. That led to the discovery of the flaw in OS X.

"Apple did a great job on finding and patching the vulnerability on their own," said Brent Bandelgar, an associate security consultant with Neohapsis.

"However, they underestimated the ability of the security community to analyze the iOS patch and reverse-engineer the details of the vulnerability so quickly," he told TechNewsWorld. "This is why the patch release for iOS and OS X should have been coordinated rather than leaving a gap for OS X users."

Ill-Timed Flaw

News of the flaws was particularly ill-timed, breaking just as the RSA Conference, one of the largest security conferences of the year, kicked off in San Francisco, noted Grayson Milbourne, security intelligence director for Webroot.

"Apple traditionally has had a mentality that its operating system doesn't have these types of problems," Milbourne told TechNewsWorld.

Folding the OS X patch into a mammoth upgrade may not have been the wisest course for Apple, as it resulted in a large gap between the time iOS users were protected from the vulnerability and the time Mavericks users were.

"There was a four-day window of exposure to people using those devices," Milbourne said. "I think they could have done a better job of releasing both patches at the same time so part of their user base wasn't exposed to this threat."

In addition to addressing the OS X vulnerability, the OS X update fixes sound and VPN problems, and adds a number of new features to Mavericks, including FaceTime audio calls, FaceTime call waiting, iMessage blocking, and better AutoFill in Safari.

Apple did not respond to our request to comment for this story.

Better Security Model

Including the patch in a larger update might delay its deployment in some quarters.

"A 460-megabyte update is a large one for businesses who use Apple technology. That can take some time to distribute to your users," Milbourne observed.

"I would have liked to see Apple release a one-off patch that specifically addressed this bug with SSL so it could be rapidly applied," he said, "whereas a big clunky 460-megabyte update is going to take more time to deploy."

Traditionally, Apple keeps a tight grip on its ecosystem, which has both its good and bad points.

"This situation is concerning, because Apple's security model is a walled garden. That generally creates a very secure environment, but it also creates a single point of failure," said Stephen Cobb, a security evangelist with Eset.

"Some people will say that means if you rely on Apple alone for your security, that can be a problem, but you have to weigh the doubt from this incident with the overall record of Apple for protecting systems, which is pretty good," he told TechNewsWorld. "Relative to Windows or Android, Mac and iOS users generally experience fewer problems."

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.